It seems as if LastPass, the password vault application used by many individuals and companies both large and small, can’t catch a break. In the latest incident, as detailed by the company, a breach occurred from August to October 2022 (yes, we are learning of this in Spring 2023) that appears to put many customers at risk and warrants the attention of anyone who uses the application. “Attention” means change your Master Password and all passwords within the application.
The LastPass write-up is interesting as it highlights the depth of expertise of the “threat actor” and their patience as well. The threat actor (not further identified) was responsible for the previous breach of the company, and it was during that breach that they harvested information which would prove instrumental in diving deeper into LastPass. This dive by the criminal (or nation state actor) brought them to the AWS S3 storage environment where “the encrypted cloud-based storage services house backups of LastPass customer and encrypted vault data.” The nefarious ones needed specific keys to access the encrypted data, and “the threat actor targeted one of the four DevOps engineers who had access to the decryption keys needed to access the cloud storage service.”
How the threat actor compromised the LastPass DevOps engineer
The engineer was identified. The engineer’s home computer was also used for accessing his work environment. Based on the actions taken, it is clear that the home computer which was being used for work wasn’t hardened to the level that a LastPass-issued device would have been. The engineer, like so many others, used a third-party media application, and that application had been compromised just days after the first hack of LastPass. Thus, the threat actor’s harvest of the credentials of the third-party software’s customers allowed the marrying of the LastPass identity with the newly compromised identity within the media app, and the targeting of the engineer was complete.
Now to execution.
The threat actors then pushed keylogger software to their target. Once in place on the engineer’s machine, they were able to capture all keystrokes. Over the course of an unidentified period of time, the login credentials, including the engineer’s master password as he logged into the LastPass infrastructure, were revealed. With this in hand, the threat actor was able to enter the LastPass environment and unlock the previously inaccessible data, as they now had the keys to the encrypted data.
Takeaway for the FSO
Rare is the home computer that is hardened at the same level as the corporate provisioned device. If those entrusted with safeguarding data are to be left on their own to safeguard that data with their own devices and their own security processes and applications, then one should expect an experience as described above.
While BYOD (bring your own device) may make fiscal sense, one must ask, and ask in a most serious manner, whether the mixing of personal and professional environments carries the same risk for each of your employees. One might make the case that this engineer, one of only four individuals with the most sensitive access, should not have been allowed to access the LastPass environment with any device save for the device issued by LastPass, provisioned by LastPass, and used exclusively within the LastPass environment.
Who is securing the device you are using right now? You or your employer’s